Oracle SOA Suite 12c: Solving a bug
Author: Michel Schildmeijer. Category: Oracle
For a customer in the Netherlands, in the healthcare division, Qualogy is implementing Oracle SOA Suite 12c (12.1.3) and Oracle Service Bus 12c (12.1.3). For connection with a WebService to a backoffice system, we enabled SSL and the OWSM Policy oracle/wss_username_token_over_ssl_service_policy:
We enabled SSL on domain level and created the necessary keystores for trust and identity. After restarting the domain, all alerts in the Fusion Middleware Console seemed to have disappeared.
Oracle raised an official bug for this, Bug 20599654 – OSB Pipeline alerts are not displayed in EM console when SSL is enabled, which has been under investigation at Oracle Product Development since the beginning of March, up to now.
What we saw appearing in the logs was that, when we enabled SSL at domain level, the OSB aggregator, which aggregates all OSB alert data, was not able to connect over the t3s protocol WebLogic uses for internal applications to connect with each other over RMI. We saw these messages:
- Caused by: javax.naming.CommunicationException: t3://<hostname>.local:7010,<hostname>.local:7020: Destination <ip adress>, 7020 unreachable; nested exception is:
- java.net.ConnectException: Connection refused; No available router to destination [Root exception is java.net.ConnectException: t3://<hostname>.local:7010,<hostname>.local:7020: Destination <ip adress>, 7020 unreachable; nested exception is:
- java.net.ConnectException: Connection refused; No available router to destination]
- at weblogic.jndi.internal.ExceptionTranslator.toNamingException(ExceptionTranslator.java:40)
Besides Product Development working on the bug, I started an investigation and found the solution for this.
These are the steps I took:
WebLogic Domain Level
Only the managed servers contained the SSL domain config; I also configured AdminServer not to use demo certificates but the configured trust and identity stores:
After further investigation, I discovered the Nodemanagers were not configured to use the SSL keystore configuration, so I added the following to nodemanager.properties (in <Domain home>/nodemanager) on all hosts:
- CustomIdentityKeyStoreFileName=<location Identity Keystore >
- CustomIdentityKeyStorePassPhrase=<Password Identity Keystore>
- CustomIdentityAlias=<Alias in ID Keystore>
- CustomIdentityPrivateKeyPassPhrase=<Password Identity Keystore>
After this, the Nodemanagers need to be restarted. After the restart you see that the password entries are encrypted.
The entire domain also had to be restarted. To check whether the WebLogic domain was listening on SSL, I used the Linux command:
- netstat -ntpl | grep 70
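A check for the two verification points above, added here as an example and not taken from the original post: it audits nodemanager.properties for the four keys listed and flags passphrases still in cleartext, and it tests whether a port completes a TLS handshake, which netstat alone does not show. The function names, the constructed sample file and the assumption that encrypted values begin with {AES or {3DES} belong to this example, not to the article.

```shell
#!/bin/sh
# Added example (not from the article): audit nodemanager.properties for the
# four SSL identity keys and for passphrases still stored in cleartext.
REQUIRED_KEYS="CustomIdentityKeyStoreFileName CustomIdentityKeyStorePassPhrase
CustomIdentityAlias CustomIdentityPrivateKeyPassPhrase"

# Prints one finding per line; returns 0 clean, 1 findings, 2 unreadable file.
audit_nodemanager_props() {
    props=$1
    findings=0
    [ -r "$props" ] || { echo "UNREADABLE $props"; return 2; }
    for key in $REQUIRED_KEYS; do
        # Last assignment wins; commented-out lines do not match the anchor.
        value=$(grep "^[[:space:]]*$key[[:space:]]*=" "$props" | tail -n 1 |
                sed 's/^[^=]*=[[:space:]]*//')
        if [ -z "$value" ]; then
            echo "MISSING $key"
            findings=$((findings + 1))
            continue
        fi
        case $key in
            *PassPhrase)
                # Assumption: encrypted values carry a {AES...} or {3DES} prefix.
                case $value in
                    "{AES"*|"{3DES}"*) ;;
                    *) echo "CLEARTEXT $key"; findings=$((findings + 1)) ;;
                esac ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# netstat only proves a listener exists; this confirms the port completes a
# TLS handshake. Host and port are supplied by the caller.
tls_handshake_ok() {
    echo | openssl s_client -connect "$1:$2" >/dev/null 2>&1
}

# Constructed sample: file as edited by hand, before the Node Manager restart.
sample_props_before_restart() {
    cat <<'EOF'
#CustomIdentityAlias=old
CustomIdentityKeyStoreFileName=/constructed/path/identity.jks
CustomIdentityKeyStorePassPhrase=changeit
CustomIdentityPrivateKeyPassPhrase={AES}Y29uc3RydWN0ZWQ\=
EOF
}
```

Run `audit_nodemanager_props <Domain home>/nodemanager/nodemanager.properties` on each host after the Node Manager restart; a CLEARTEXT finding at that point means the restart did not rewrite the file.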
Alerts in Fusion Middleware console
After the restart, we saw that we were using SSL. We generated some test messages and did some pipeline validations, and voilà.
Publication date: 20 April 2015